
<!doctype html>
<html lang="en" class="no-js">
  <head>
    
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width,initial-scale=1">
      
      
      
      <link rel="icon" href="../../../../static/images/favicon.png">
      <meta name="generator" content="mkdocs-1.3.0, mkdocs-material-8.2.8">
    
    
      
        <title>Cross-Site Networking: Quick IPSec VPN Deployment - WL4G DOCS</title>
      
    
    
      <link rel="stylesheet" href="../../../../assets/stylesheets/main.644de097.min.css">
      
        
        <link rel="stylesheet" href="../../../../assets/stylesheets/palette.e6a45f82.min.css">
        
      
    
    
    
      
        
        
        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
        <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
        <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
      
    
    
      <link rel="stylesheet" href="../../../../static/css/util.css">
    
    
      

    
    
  </head>
  
  
    
    
      
    
    
    
    
    <body dir="ltr" data-md-color-scheme="default" data-md-color-primary="" data-md-color-accent="">
  
    
    
    
    
    <div class="md-container" data-md-component="container">
      
      
        
          
            
          
        
      
      <main class="md-main" data-md-component="main">
        <div class="md-main__inner md-grid">
          
            
              
            
            
          
          <div class="md-content" data-md-component="content">
            <article class="md-content__inner md-typeset">
              
                


<h1 id="ipsec-vpn">Cross-Site Networking: Quick IPSec VPN Deployment<a class="headerlink" href="#ipsec-vpn" title="Permanent link">&para;</a></h1>
<ul>
<li>
<p>Related article 1: <a href="https://blogs.wl4g.com/archives/3333">Quick Deployment of WireGuard, the New-Generation High-Performance Full Connects VPN Service</a></p>
</li>
<li>
<p>Related article 2: <a href="https://blogs.wl4g.com/archives/3754">Cross-Site Networking: Quick OpenVPN Deployment</a></p>
</li>
<li>
<p>Related article 3: <a href="https://blogs.wl4g.com/archives/3869">Cross-Site Networking: Quick PPTP Deployment (ubuntu 20.04+pptpd+pptp-linux+win10)</a></p>
</li>
</ul>
<p>The popular VPN networking options today are OpenVPN, IPSec/L2TP and WireGuard. Each has its own strengths and weaknesses, and all of them support Linux, Windows, Android and iOS. This article first gives a brief comparison, then walks through the practical material for setting up IPSec.</p>
<ul>
<li>
<p><a href="https://openvpn.net/community/">OpenVPN</a> is feature-rich but comparatively complex to configure. It is implemented in user space with a central server relaying all traffic, so there is some performance cost;</p>
</li>
<li>
<p>IPSec/L2TP is similar to OpenVPN but considerably simpler to deploy, for example as a one-command deployment with the <a href="https://github.com/wl4g-collect/ipsec-vpn-server">github.com/hwdsl2/ipsec-vpn-server</a> Docker image (IKEv2 supported). For more on the underlying IPSec protocol suite see: https://zh.wikipedia.org/wiki/IPsec</p>
</li>
<li>
<p><a href="https://www.wireguard.com">WireGuard</a> arrived later and has the late-mover advantage. Its strengths are a decentralised peer-to-peer-over-UDP architecture and a kernel-space implementation on Linux, which gives it the best performance and makes it well suited to cloud-native multi-datacenter and edge-computing networking; it is built into Linux kernel &gt;=5.6. Its drawbacks are stricter installation requirements, such as the kernel version (on Windows a user-space implementation exists that serves as an ordinary user's VPN tool, a scenario where performance matters less), and its UDP hole-punching mechanism may be interfered with by ISPs.</p>
</li>
</ul>
<h2 id="1-ipsec-server">1. Setting Up the IPSec Server<a class="headerlink" href="#1-ipsec-server" title="Permanent link">&para;</a></h2>
<h3 id="11">1.1 Start the Service<a class="headerlink" href="#11" title="Permanent link">&para;</a></h3>
<ul>
<li>See: <a href="https://github.com/wl4g-collect/docker-ipsec-vpn-server#quick-start">Deploying IPSec with Docker on Linux</a></li>
</ul>
<div class="highlight"><pre><span></span><code>docker run \
    --name ipsec-vpn-server \
    --restart=always \
    -v ikev2-vpn-data:/etc/ipsec.d \
    -v /lib/modules:/lib/modules:ro \
    -p 500:500/udp \
    -p 4500:4500/udp \
    -d --privileged \
    hwdsl2/ipsec-vpn-server
</code></pre></div>
<h3 id="12">1.2 Manage Client Certificates<a class="headerlink" href="#12" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code>docker exec -it ipsec-vpn-server bash

# List all client certificates
sudo ikev2.sh --listclients

# Add a client certificate
sudo ikev2.sh --addclient [client name]

# Export a client certificate
sudo ikev2.sh --exportclient [client name]

# Revoke a client certificate
sudo ikev2.sh --revokeclient [client name]

# Permanently delete a client certificate (note: revoking is normally sufficient)
sudo ikev2.sh --deleteclient [client name]
</code></pre></div>
<ul>
<li><a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#列出已有的客户端">For more on using ikev2.sh, see here</a></li>
</ul>
<h3 id="13">1.3 Other Management Commands<a class="headerlink" href="#13" title="Permanent link">&para;</a></h3>
<div class="highlight"><pre><span></span><code>docker exec -it ipsec-vpn-server bash

# Show the traffic status of currently connected clients
ipsec trafficstatus

# Show service process metrics
ipsec globalstatus
</code></pre></div>
<h3 id="14-ikev2">1.4 Change the IKEv2 Server Address<a class="headerlink" href="#14-ikev2" title="Permanent link">&para;</a></h3>
<p>In some cases you may need to change the IKEv2 server address after setup, for example to switch to a domain name, or after the server's IP has changed. Note that the server address you specify in the VPN client must match the server address in the IKEv2 helper script's output <strong><em>exactly</em></strong>, otherwise the client may fail to connect.</p>
<ul>
<li>To change the server address, run the helper script and follow the prompts.</li>
</ul>
<div class="highlight"><pre><span></span><code>wget https://get.vpnsetup.net/ikev2addr -O ikev2addr.sh
sudo bash ikev2addr.sh
</code></pre></div>
<ul>
<li><strong><em>Important:</em></strong> After running this script, you must manually update the server address and, where applicable, the Remote ID on every existing IKEv2 client device. For iOS clients you need to export and then re-import the client configuration using the IKEv2 helper script.</li>
</ul>
<h3 id="15-vpn">1.5 Customize the VPN Subnets<a class="headerlink" href="#15-vpn" title="Permanent link">&para;</a></h3>
<p>By default, IPsec/L2TP VPN clients use the internal VPN subnet 192.168.42.0/24, while IPsec/XAuth ("Cisco IPsec") and IKEv2 VPN clients use the internal VPN subnet 192.168.43.0/24. See the previous section for more details.</p>
<p>For most use cases there is no need to customize these subnets, and doing so is not recommended. If your use case requires it, however, you can specify custom subnets when installing the VPN.</p>
<p>Important: custom subnets can only be specified during the initial VPN installation. If the IPsec VPN is already installed, you must first uninstall the VPN, then specify the custom subnets and reinstall. Otherwise the VPN may stop working.</p>
<ul>
<li>Example: specify a custom VPN subnet for IPsec/L2TP mode</li>
</ul>
<div class="highlight"><pre><span></span><code># Note: all three variables must be specified.
sudo VPN_L2TP_NET=10.1.0.0/16 \
VPN_L2TP_LOCAL=10.1.0.1 \
VPN_L2TP_POOL=10.1.0.10-10.1.254.254 \
sh vpn.sh
</code></pre></div>
<ul>
<li>Example: specify a custom VPN subnet for IPsec/XAuth and IKEv2 modes</li>
</ul>
<div class="highlight"><pre><span></span><code># Note: both of the following variables must be specified.
sudo VPN_XAUTH_NET=10.2.0.0/16 \
VPN_XAUTH_POOL=10.2.0.10-10.2.254.254 \
sh vpn.sh
</code></pre></div>
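<p>Because a wrong custom subnet can only be corrected by uninstalling and reinstalling, it is worth validating the variables first. The following is an added example, not code from the setup-ipsec-vpn project: <code>check_vpn_env</code> and the sample variable sets are constructed here, and the only values taken from the page are the two default subnets and the constraints stated above (all three L2TP variables, both XAuth variables).</p>

```python
"""Validate custom VPN subnet variables before running vpn.sh.

Added example, not part of hwdsl2/setup-ipsec-vpn. It checks the constraints
the page states (all three L2TP variables, both XAuth variables) plus what a
practitioner wants to know before a reinstall: the CIDR is a valid network,
the pool and gateway lie inside it, the gateway is not inside the pool, and
the two internal subnets do not overlap.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Internal subnets the installer uses when nothing is customised (from the page).
DEFAULT_L2TP_NET = ipaddress.IPv4Network("192.168.42.0/24")
DEFAULT_XAUTH_NET = ipaddress.IPv4Network("192.168.43.0/24")


def parse_pool(pool: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Parse the 'first-last' form used by VPN_L2TP_POOL / VPN_XAUTH_POOL."""
    first, sep, last = pool.partition("-")
    if not sep:
        raise ValueError(f"pool must be written first-last, got {pool!r}")
    return ipaddress.IPv4Address(first.strip()), ipaddress.IPv4Address(last.strip())


def _check_mode(env: Dict[str, str], net_key: str, local_key: Optional[str], pool_key: str,
                default_net: ipaddress.IPv4Network, problems: List[str]) -> ipaddress.IPv4Network:
    """Validate one mode's variables and return the subnet that mode will end up using."""
    keys = [k for k in (net_key, local_key, pool_key) if k]
    present = [k for k in keys if env.get(k)]
    if not present:
        return default_net                      # nothing customised: installer default applies
    if len(present) != len(keys):
        missing = ", ".join(k for k in keys if k not in present)
        problems.append(f"{net_key}: {', '.join(keys)} must all be set (missing {missing})")
        return default_net
    try:
        net = ipaddress.IPv4Network(env[net_key], strict=True)   # strict: reject host bits set
        first, last = parse_pool(env[pool_key])
        local = ipaddress.IPv4Address(env[local_key]) if local_key else None
    except ValueError as exc:
        problems.append(f"{net_key}: {exc}")
        return default_net
    if not net.is_private:
        problems.append(f"{net_key}: {net} is not private address space")
    # Usable host range excludes the network and broadcast addresses.
    lo, hi = net.network_address + 1, net.broadcast_address - 1
    if first > last:
        problems.append(f"{pool_key}: pool start {first} is after pool end {last}")
    elif not (lo <= first and last <= hi):
        problems.append(f"{pool_key}: pool {first}-{last} is not inside the host range of {net}")
    if local is not None:
        if not (lo <= local <= hi):
            problems.append(f"{local_key}: gateway {local} is not a host address in {net}")
        elif first <= local <= last:
            problems.append(f"{local_key}: gateway {local} lies inside the client pool")
    return net


def check_vpn_env(env: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the variables are consistent."""
    problems: List[str] = []
    l2tp = _check_mode(env, "VPN_L2TP_NET", "VPN_L2TP_LOCAL", "VPN_L2TP_POOL",
                       DEFAULT_L2TP_NET, problems)
    xauth = _check_mode(env, "VPN_XAUTH_NET", None, "VPN_XAUTH_POOL",
                        DEFAULT_XAUTH_NET, problems)
    if l2tp.overlaps(xauth):
        problems.append(f"IPsec/L2TP subnet {l2tp} overlaps IPsec/XAuth+IKEv2 subnet {xauth}")
    return problems


if __name__ == "__main__":
    # The page's own example values, plus a deliberately broken set (constructed).
    good = {"VPN_L2TP_NET": "10.1.0.0/16", "VPN_L2TP_LOCAL": "10.1.0.1",
            "VPN_L2TP_POOL": "10.1.0.10-10.1.254.254",
            "VPN_XAUTH_NET": "10.2.0.0/16", "VPN_XAUTH_POOL": "10.2.0.10-10.2.254.254"}
    bad = {"VPN_L2TP_NET": "10.1.0.0/16", "VPN_L2TP_LOCAL": "10.1.0.10",
           "VPN_L2TP_POOL": "10.1.0.10-10.1.254.254",
           "VPN_XAUTH_NET": "10.1.128.0/17", "VPN_XAUTH_POOL": "10.1.128.10-10.1.255.250"}
    for name, env in (("good", good), ("bad", bad)):
        print(name, check_vpn_env(env) or "OK")
```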
<h3 id="16-vpn">1.6 VPN Client Split Tunneling<a class="headerlink" href="#16-vpn" title="Permanent link">&para;</a></h3>
<ul>
<li><a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/advanced-usage-zh.md#vpn-分流">See: VPN client split tunneling</a></li>
</ul>
<h2 id="2-ipsec-clients">2. Installing IPSec Clients<a class="headerlink" href="#2-ipsec-clients" title="Permanent link">&para;</a></h2>
<ul>
<li>IPSec/L2TP mode, i.e. IKEv1</li>
<li>IKEv2 (recommended)</li>
</ul>
<h3 id="21-windows-10-and-8-gui-ipsecl2tpipsecxauth">2.1 Windows 10 and 8 GUI Client Configuration (IPsec/L2TP or IPsec/XAuth mode)<a class="headerlink" href="#21-windows-10-and-8-gui-ipsecl2tpipsecxauth" title="Permanent link">&para;</a></h3>
<ul>
<li>See: <a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/clients-zh.md#windows-10-and-8">Windows 10-and-8 GUI client configuration (IPsec/L2TP or IPsec/XAuth mode)</a></li>
</ul>
<h3 id="22-windows-ikev2">2.2 Windows Command-Line Client Configuration (IKEv2 mode)<a class="headerlink" href="#22-windows-ikev2" title="Permanent link">&para;</a></h3>
<ul>
<li>
<p><a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#其它已知问题">Working around the built-in Windows VPN GUI client possibly not supporting IKEv2 connections</a></p>
</li>
<li>
<p>Automatic configuration import (Windows 8 / 10 / 11) (simple, recommended)</p>
</li>
<li>
<p>Securely transfer the generated .p12 file to your computer.</p>
</li>
<li>Right-click <a href="https://github.com/hwdsl2/vpn-extras/releases/latest/download/ikev2_config_import.cmd">github:ikev2_config_import.cmd</a> or <a href="https://gitee.com/wl4g/blogs/raw/master/docs/articles/operation/ipsec-vpn-deploy/resources/ikev2_config_import.cmd">blogs:ikev2_config_import.cmd</a> and save this helper script to the same folder as the .p12 file.</li>
<li>Right-click the saved script and select Properties. Click Unblock at the bottom of the dialog, then click OK.</li>
<li>
<p>Right-click the saved script, select Run as administrator and follow the prompts.</p>
</li>
<li>
<p><a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#手动导入配置">Manual configuration import</a> (more tedious, but reliable)</p>
</li>
</ul>
<h3 id="23-linux-gui-ikev2">2.3 Linux GUI Client Configuration (IKEv2 mode)<a class="headerlink" href="#23-linux-gui-ikev2" title="Permanent link">&para;</a></h3>
<ul>
<li>
<p>See: <a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#linux">Linux GUI client configuration for IPSec</a></p>
</li>
<li>
<p><strong><em>Prerequisite:</em></strong> Before configuring the Linux GUI client, you must change the following setting on the VPN server: edit <code>/etc/ipsec.d/ikev2.conf</code> on the server and add <code>authby=rsa-sha1</code> at the end of the <code>conn ikev2-cp</code> section; the line must begin with two spaces. Save the file and run <code>service ipsec restart</code>.</p>
</li>
<li>
<p>Install the client GUI</p>
</li>
</ul>
<div class="highlight"><pre><span></span><code># Ubuntu and Debian
sudo apt-get update
sudo apt-get install network-manager-strongswan

# Arch Linux
sudo pacman -Syu  # upgrade all packages
sudo pacman -S networkmanager-strongswan

# Fedora
sudo yum install NetworkManager-strongswan-gnome

# CentOS
sudo yum install epel-release
sudo yum --enablerepo=epel install NetworkManager-strongswan-gnome
</code></pre></div>
<ul>
<li>Extract the CA certificate, the client certificate and the private key. The .p12 file can be deleted afterwards.</li>
</ul>
<div class="highlight"><pre><span></span><code># Note: you may need to enter the import password, which can be found in the output of the IKEv2 helper script.
# If there is no import password in the script's output, press Enter to continue.
openssl pkcs12 -in vpnclient.p12 -cacerts -nokeys -out ikev2vpnca.cer
openssl pkcs12 -in vpnclient.p12 -clcerts -nokeys -out vpnclient.cer
openssl pkcs12 -in vpnclient.p12 -nocerts -nodes  -out vpnclient.key
</code></pre></div>
<ul>
<li><a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#linux">For more configuration, see here</a></li>
</ul>
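<p>The prerequisite at the start of this section (append <code>authby=rsa-sha1</code> to the <code>conn ikev2-cp</code> section with a two-space indent) is easy to get wrong by hand and easy to duplicate when repeated. The following is an added example, not code from the setup-ipsec-vpn project: <code>set_conn_option</code> applies that edit idempotently, and the <code>ikev2.conf</code> text it runs on is a constructed sample that only mimics the section layout, not the project's real file.</p>

```python
"""Idempotently set an option inside one 'conn NAME' section of an ipsec.conf-style file.

Added example, not part of hwdsl2/setup-ipsec-vpn. Implements the page's
instruction (two-space indent, placed at the end of the section): adds the
line when the key is absent, rewrites it when present with another value,
and leaves the text unchanged when already set, so re-running is safe.
"""
import re
from typing import List, Optional

# A section starts in column 0 ("conn NAME" / "config setup"); every indented
# line belongs to the section above it. Options are written "  key=value".
SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)")
OPTION_RE = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*=\s*(\S.*?)\s*$")


def set_conn_option(text: str, conn: str, key: str, value: str) -> str:
    """Return `text` with `key=value` set in section `conn <conn>`."""
    lines = text.splitlines()
    out: List[str] = []
    in_target = False       # currently inside the section we are editing
    section_found = False
    key_set = False
    last_body = -1          # index in `out` of the section's last non-blank line

    def flush() -> None:
        # Called when the target section ends: append the option if it was not seen.
        nonlocal key_set
        if in_target and not key_set:
            out.insert(last_body + 1, f"  {key}={value}")
            key_set = True

    for line in lines:
        if line and not line[0].isspace():      # column-0 line ends the previous section
            flush()
            m = SECTION_RE.match(line)
            in_target = bool(m) and m.group(1) == "conn" and m.group(2) == conn
            section_found = section_found or in_target
            out.append(line)
            last_body = len(out) - 1
            continue
        if in_target:
            opt = OPTION_RE.match(line)
            if opt and opt.group(1) == key:
                line = f"  {key}={value}"       # rewrite in place (also normalises the indent)
                key_set = True
            if line.strip():
                last_body = len(out)            # index this line will get once appended
        out.append(line)
    flush()

    if not section_found:
        raise ValueError(f"no section 'conn {conn}' found")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample: mimics the layout of an ikev2.conf, not the project's real file.
SAMPLE_IKEV2_CONF = """\
conn ikev2-cp
  left=%defaultroute
  leftcert=vpn.example.com
  right=%any
  rightid=%fromcert
  keyexchange=ike
  ikev2=insist

conn other
  auto=add
"""


def patched_sample() -> str:
    """Apply the page's prerequisite edit to the constructed sample."""
    return set_conn_option(SAMPLE_IKEV2_CONF, "ikev2-cp", "authby", "rsa-sha1")


if __name__ == "__main__":
    print(patched_sample())
```

On a real server the same function would be run over the contents of <code>/etc/ipsec.d/ikev2.conf</code>, followed by <code>service ipsec restart</code> as the page says.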
<h3 id="24-linux-ipsecl2tpipsecxauth">2.4 Linux Command-Line Client Configuration (IPsec/L2TP or IPsec/XAuth mode)<a class="headerlink" href="#24-linux-ipsecl2tpipsecxauth" title="Permanent link">&para;</a></h3>
<ul>
<li>
<p>strongSwan is a complete IPsec solution: <a href="https://docs.strongswan.org/docs/5.9/howtos/introduction.html">docs.strongswan.org/docs/5.9/howtos/introduction.html</a></p>
</li>
<li>
<p>Install the client</p>
</li>
</ul>
<div class="highlight"><pre><span></span><code># Ubuntu and Debian
apt-get update
apt-get install strongswan xl2tpd net-tools
# Fedora
yum install strongswan xl2tpd net-tools
# CentOS
yum install epel-release
yum --enablerepo=epel install strongswan xl2tpd net-tools
</code></pre></div>
<ul>
<li>Create the VPN variables (replace with your own values):</li>
</ul>
<div class="highlight"><pre><span></span><code>VPN_SERVER_IP=&#39;你的VPN服务器IP&#39;
VPN_IPSEC_PSK=&#39;你的IPsec预共享密钥&#39;
VPN_USER=&#39;你的VPN用户名&#39;
VPN_PASSWORD=&#39;你的VPN密码&#39;
</code></pre></div>
<ul>
<li>Configure strongSwan:</li>
</ul>
<div class="highlight"><pre><span></span><code>cat &gt; /etc/ipsec.conf &lt;&lt;EOF
# ipsec.conf - strongSwan IPsec configuration file
conn myvpn
  auto=add
  keyexchange=ikev1
  authby=secret
  type=transport
  left=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
  ike=aes128-sha1-modp2048
  esp=aes128-sha1
EOF

cat &gt; /etc/ipsec.secrets &lt;&lt;EOF
: PSK &quot;$VPN_IPSEC_PSK&quot;
<a id="__codelineno-10-18" name="__codelineno-10-18"></a><a href="#__codelineno-10-18"><span class="linenos" data-linenos="18 "></span></a><span class="s">EOF</span>
<a id="__codelineno-10-19" name="__codelineno-10-19"></a><a href="#__codelineno-10-19"><span class="linenos" data-linenos="19 "></span></a>
<a id="__codelineno-10-20" name="__codelineno-10-20"></a><a href="#__codelineno-10-20"><span class="linenos" data-linenos="20 "></span></a>chmod <span class="m">600</span> /etc/ipsec.secrets
<a id="__codelineno-10-21" name="__codelineno-10-21"></a><a href="#__codelineno-10-21"><span class="linenos" data-linenos="21 "></span></a>
<a id="__codelineno-10-22" name="__codelineno-10-22"></a><a href="#__codelineno-10-22"><span class="linenos" data-linenos="22 "></span></a><span class="c1"># For CentOS and Fedora ONLY</span>
<a id="__codelineno-10-23" name="__codelineno-10-23"></a><a href="#__codelineno-10-23"><span class="linenos" data-linenos="23 "></span></a>mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old <span class="m">2</span>&gt;/dev/null
<a id="__codelineno-10-24" name="__codelineno-10-24"></a><a href="#__codelineno-10-24"><span class="linenos" data-linenos="24 "></span></a>mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old <span class="m">2</span>&gt;/dev/null
<a id="__codelineno-10-25" name="__codelineno-10-25"></a><a href="#__codelineno-10-25"><span class="linenos" data-linenos="25 "></span></a>ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf
<a id="__codelineno-10-26" name="__codelineno-10-26"></a><a href="#__codelineno-10-26"><span class="linenos" data-linenos="26 "></span></a>ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets
</code></pre></div>
<ul>
<li>Configure xl2tpd:</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1"></a><a href="#__codelineno-11-1"><span class="linenos" data-linenos=" 1 "></span></a>cat &gt; /etc/xl2tpd/xl2tpd.conf <span class="s">&lt;&lt;EOF</span>
<a id="__codelineno-11-2" name="__codelineno-11-2"></a><a href="#__codelineno-11-2"><span class="linenos" data-linenos=" 2 "></span></a><span class="s">[lac myvpn]</span>
<a id="__codelineno-11-3" name="__codelineno-11-3"></a><a href="#__codelineno-11-3"><span class="linenos" data-linenos=" 3 "></span></a><span class="s">lns = $VPN_SERVER_IP</span>
<a id="__codelineno-11-4" name="__codelineno-11-4"></a><a href="#__codelineno-11-4"><span class="linenos" data-linenos=" 4 "></span></a><span class="s">ppp debug = yes</span>
<a id="__codelineno-11-5" name="__codelineno-11-5"></a><a href="#__codelineno-11-5"><span class="linenos" data-linenos=" 5 "></span></a><span class="s">pppoptfile = /etc/ppp/options.l2tpd.client</span>
<a id="__codelineno-11-6" name="__codelineno-11-6"></a><a href="#__codelineno-11-6"><span class="linenos" data-linenos=" 6 "></span></a><span class="s">length bit = yes</span>
<a id="__codelineno-11-7" name="__codelineno-11-7"></a><a href="#__codelineno-11-7"><span class="linenos" data-linenos=" 7 "></span></a><span class="s">EOF</span>
<a id="__codelineno-11-8" name="__codelineno-11-8"></a><a href="#__codelineno-11-8"><span class="linenos" data-linenos=" 8 "></span></a>
<a id="__codelineno-11-9" name="__codelineno-11-9"></a><a href="#__codelineno-11-9"><span class="linenos" data-linenos=" 9 "></span></a>cat &gt; /etc/ppp/options.l2tpd.client <span class="s">&lt;&lt;EOF</span>
<a id="__codelineno-11-10" name="__codelineno-11-10"></a><a href="#__codelineno-11-10"><span class="linenos" data-linenos="10 "></span></a><span class="s">ipcp-accept-local</span>
<a id="__codelineno-11-11" name="__codelineno-11-11"></a><a href="#__codelineno-11-11"><span class="linenos" data-linenos="11 "></span></a><span class="s">ipcp-accept-remote</span>
<a id="__codelineno-11-12" name="__codelineno-11-12"></a><a href="#__codelineno-11-12"><span class="linenos" data-linenos="12 "></span></a><span class="s">refuse-eap</span>
<a id="__codelineno-11-13" name="__codelineno-11-13"></a><a href="#__codelineno-11-13"><span class="linenos" data-linenos="13 "></span></a><span class="s">require-chap</span>
<a id="__codelineno-11-14" name="__codelineno-11-14"></a><a href="#__codelineno-11-14"><span class="linenos" data-linenos="14 "></span></a><span class="s">noccp</span>
<a id="__codelineno-11-15" name="__codelineno-11-15"></a><a href="#__codelineno-11-15"><span class="linenos" data-linenos="15 "></span></a><span class="s">noauth</span>
<a id="__codelineno-11-16" name="__codelineno-11-16"></a><a href="#__codelineno-11-16"><span class="linenos" data-linenos="16 "></span></a><span class="s">mtu 1280</span>
<a id="__codelineno-11-17" name="__codelineno-11-17"></a><a href="#__codelineno-11-17"><span class="linenos" data-linenos="17 "></span></a><span class="s">mru 1280</span>
<a id="__codelineno-11-18" name="__codelineno-11-18"></a><a href="#__codelineno-11-18"><span class="linenos" data-linenos="18 "></span></a><span class="s">noipdefault</span>
<a id="__codelineno-11-19" name="__codelineno-11-19"></a><a href="#__codelineno-11-19"><span class="linenos" data-linenos="19 "></span></a><span class="s">defaultroute</span>
<a id="__codelineno-11-20" name="__codelineno-11-20"></a><a href="#__codelineno-11-20"><span class="linenos" data-linenos="20 "></span></a><span class="s">usepeerdns</span>
<a id="__codelineno-11-21" name="__codelineno-11-21"></a><a href="#__codelineno-11-21"><span class="linenos" data-linenos="21 "></span></a><span class="s">connect-delay 5000</span>
<a id="__codelineno-11-22" name="__codelineno-11-22"></a><a href="#__codelineno-11-22"><span class="linenos" data-linenos="22 "></span></a><span class="s">name &quot;$VPN_USER&quot;</span>
<a id="__codelineno-11-23" name="__codelineno-11-23"></a><a href="#__codelineno-11-23"><span class="linenos" data-linenos="23 "></span></a><span class="s">password &quot;$VPN_PASSWORD&quot;</span>
<a id="__codelineno-11-24" name="__codelineno-11-24"></a><a href="#__codelineno-11-24"><span class="linenos" data-linenos="24 "></span></a><span class="s">EOF</span>
<a id="__codelineno-11-25" name="__codelineno-11-25"></a><a href="#__codelineno-11-25"><span class="linenos" data-linenos="25 "></span></a>
<a id="__codelineno-11-26" name="__codelineno-11-26"></a><a href="#__codelineno-11-26"><span class="linenos" data-linenos="26 "></span></a>chmod <span class="m">600</span> /etc/ppp/options.l2tpd.client
</code></pre></div>
<p>At this point the VPN client configuration is complete. Follow the steps below to connect.</p>
<p><strong><em>Note:</em></strong> You must repeat all of the steps below every time you try to connect to the VPN.</p>
<ul>
<li>Create the xl2tpd control file:</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1"></a><a href="#__codelineno-12-1"><span class="linenos" data-linenos="1 "></span></a>mkdir -p /var/run/xl2tpd
<a id="__codelineno-12-2" name="__codelineno-12-2"></a><a href="#__codelineno-12-2"><span class="linenos" data-linenos="2 "></span></a>touch /var/run/xl2tpd/l2tp-control
</code></pre></div>
<ul>
<li>Restart the services:</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1"></a><a href="#__codelineno-13-1"><span class="linenos" data-linenos="1 "></span></a>service strongswan restart
<a id="__codelineno-13-2" name="__codelineno-13-2"></a><a href="#__codelineno-13-2"><span class="linenos" data-linenos="2 "></span></a><span class="c1"># For Ubuntu 20.04, if the strongswan service does not exist</span>
<a id="__codelineno-13-3" name="__codelineno-13-3"></a><a href="#__codelineno-13-3"><span class="linenos" data-linenos="3 "></span></a>ipsec restart
<a id="__codelineno-13-4" name="__codelineno-13-4"></a><a href="#__codelineno-13-4"><span class="linenos" data-linenos="4 "></span></a>
<a id="__codelineno-13-5" name="__codelineno-13-5"></a><a href="#__codelineno-13-5"><span class="linenos" data-linenos="5 "></span></a>service xl2tpd restart
</code></pre></div>
<ul>
<li>Start the IPsec connection:</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1"></a><a href="#__codelineno-14-1"><span class="linenos" data-linenos="1 "></span></a><span class="c1"># Ubuntu and Debian</span>
<a id="__codelineno-14-2" name="__codelineno-14-2"></a><a href="#__codelineno-14-2"><span class="linenos" data-linenos="2 "></span></a>ipsec up myvpn
<a id="__codelineno-14-3" name="__codelineno-14-3"></a><a href="#__codelineno-14-3"><span class="linenos" data-linenos="3 "></span></a><span class="c1"># CentOS and Fedora</span>
<a id="__codelineno-14-4" name="__codelineno-14-4"></a><a href="#__codelineno-14-4"><span class="linenos" data-linenos="4 "></span></a>strongswan up myvpn
</code></pre></div>
<ul>
<li>Start the L2TP connection:</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1"></a><a href="#__codelineno-15-1"><span class="linenos" data-linenos="1 "></span></a><span class="nb">echo</span> <span class="s2">&quot;c myvpn&quot;</span> &gt; /var/run/xl2tpd/l2tp-control
</code></pre></div>
<ul>
<li>Disconnect:</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1"></a><a href="#__codelineno-16-1"><span class="linenos" data-linenos="1 "></span></a><span class="c1"># Ubuntu and Debian</span>
<a id="__codelineno-16-2" name="__codelineno-16-2"></a><a href="#__codelineno-16-2"><span class="linenos" data-linenos="2 "></span></a><span class="nb">echo</span> <span class="s2">&quot;d myvpn&quot;</span> &gt; /var/run/xl2tpd/l2tp-control
<a id="__codelineno-16-3" name="__codelineno-16-3"></a><a href="#__codelineno-16-3"><span class="linenos" data-linenos="3 "></span></a>ipsec down myvpn
<a id="__codelineno-16-4" name="__codelineno-16-4"></a><a href="#__codelineno-16-4"><span class="linenos" data-linenos="4 "></span></a>
<a id="__codelineno-16-5" name="__codelineno-16-5"></a><a href="#__codelineno-16-5"><span class="linenos" data-linenos="5 "></span></a><span class="c1"># CentOS and Fedora</span>
<a id="__codelineno-16-6" name="__codelineno-16-6"></a><a href="#__codelineno-16-6"><span class="linenos" data-linenos="6 "></span></a><span class="nb">echo</span> <span class="s2">&quot;d myvpn&quot;</span> &gt; /var/run/xl2tpd/l2tp-control
<a id="__codelineno-16-7" name="__codelineno-16-7"></a><a href="#__codelineno-16-7"><span class="linenos" data-linenos="7 "></span></a>strongswan down myvpn
</code></pre></div>
<ul>
<li><a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/clients-zh.md#使用命令行配置-linux-vpn-客户端">See here for more configuration options</a></li>
</ul>
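<p>Because the two heredocs above are only as good as the variables fed into them, a pre-flight check is worth running before <code>ipsec up myvpn</code>. The following POSIX shell script is an added example, not part of the original guide or the setup-ipsec-vpn project: it verifies that the four <code>VPN_*</code> values were actually filled in (not left as the guide's placeholders), that <code>VPN_SERVER_IP</code> is a dotted-quad IPv4 address, and that the two credential files are mode 600. The file paths are taken from the guide; the function names are assumptions of this example.</p>

```shell
#!/bin/sh
# Added pre-flight check for the IPsec/L2TP client configured above.
# Not part of the original guide; function names are this example's own.

# Returns 0 if $1 is a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1            # split into the four octets
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Returns 0 if $1 is non-empty and is not one of the guide's untouched
# placeholders (they all start with the characters '你的').
is_filled() {
  [ -n "$1" ] || return 1
  case "$1" in
    你的*) return 1 ;;
  esac
  return 0
}

# Returns 0 if $1 exists as a regular file with mode 600 (-rw-------),
# which is what the guide's `chmod 600` lines are meant to guarantee.
is_private_file() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# vpn_preflight SERVER_IP PSK USER PASSWORD SECRETS_FILE PPP_OPTIONS_FILE
# Prints one line per failed check and returns the number of failures,
# so a return value of 0 means it is safe to run `ipsec up myvpn`.
vpn_preflight() {
  fails=0
  is_ipv4 "$1"         || { echo "VPN_SERVER_IP is not an IPv4 address: $1"; fails=$((fails + 1)); }
  is_filled "$2"       || { echo "VPN_IPSEC_PSK is empty or still a placeholder"; fails=$((fails + 1)); }
  is_filled "$3"       || { echo "VPN_USER is empty or still a placeholder"; fails=$((fails + 1)); }
  is_filled "$4"       || { echo "VPN_PASSWORD is empty or still a placeholder"; fails=$((fails + 1)); }
  is_private_file "$5" || { echo "$5 is missing or not mode 600"; fails=$((fails + 1)); }
  is_private_file "$6" || { echo "$6 is missing or not mode 600"; fails=$((fails + 1)); }
  return $fails
}

# Typical call on the client after the heredocs above have been written:
#   vpn_preflight "$VPN_SERVER_IP" "$VPN_IPSEC_PSK" "$VPN_USER" "$VPN_PASSWORD" \
#     /etc/ipsec.secrets /etc/ppp/options.l2tpd.client && ipsec up myvpn
```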
<h3 id="25-android-gui">2.5 Android GUI client configuration<a class="headerlink" href="#25-android-gui" title="Permanent link">&para;</a></h3>
<ul>
<li>See: <a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#android">Android GUI client configuration</a></li>
</ul>
<h3 id="26-ios-gui">2.6 iOS GUI client configuration<a class="headerlink" href="#26-ios-gui" title="Permanent link">&para;</a></h3>
<ul>
<li>See: <a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#android">iOS GUI client configuration</a></li>
</ul>
<h2 id="3">3. Troubleshooting<a class="headerlink" href="#3" title="Permanent link">&para;</a></h2>
<ul>
<li>3.1 <a href="https://github.com/wl4g-collect/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#故障排除">Troubleshooting client connection failures in IKEv2 mode</a></li>
</ul>
<h2 id="4-faq">4. FAQ<a class="headerlink" href="#4-faq" title="Permanent link">&para;</a></h2>
<h3 id="41">4.1 Currently known issues<a class="headerlink" href="#41" title="Permanent link">&para;</a></h3>
<ul>
<li>This document covers client configuration for Windows (IPsec/L2TP mode and IKEv2 mode), Linux (IPsec/L2TP mode and IKEv2 mode), Android and iOS. Unfortunately, Linux IKEv2 mode was only tested successfully in a GNOME (GUI) environment; from the command line it did not succeed (only IPsec/L2TP (IKEv1) passed testing). If you need a simple, secure and fast VPN deployment across all platforms, see: <a href="https://blogs.wl4g.com/archives/3754">Rapid OpenVPN Deployment for Cross-Site Networking</a></li>
</ul>

              
            </article>
          </div>
        </div>
        
      </main>
      
      
    </div>
  </body>
</html>